Watch Me, but Don't Touch Me! Contactless Control Flow Monitoring via Electromagnetic Emanations

Trustworthy operation of industrial control systems depends on secure and real-time code execution on the embedded programmable logic controllers (PLCs). The controllers monitor and control critical infrastructures, such as electric power grids and healthcare platforms, and continuously report the system status back to human operators. We present Zeus, a contactless security monitor for embedded controllers that ensures the control flow integrity of their execution. Zeus leverages the electromagnetic emissions of the PLC circuitry during execution of the controller programs. Zeus's contactless execution tracking enables non-intrusive monitoring of security-critical controllers with tight real-time constraints; such devices often cannot tolerate the cost and performance overhead of additional traditional hardware or software monitoring modules. Furthermore, Zeus provides an air gap between the monitor (the trusted computing base) and the target, potentially compromised, PLC, which eliminates the possibility of the monitor being infected by the same attack vectors. Zeus monitors the control flow integrity of the PLC program execution: it observes the communications between the human machine interface and the PLC and captures the control logic binaries uploaded to the PLC. Zeus exercises the feasible execution paths of each binary and fingerprints their emissions using an external electromagnetic sensor. Zeus trains a neural network on legitimate PLC executions and uses it at runtime to identify the control flow from the PLC's electromagnetic emissions. We implemented Zeus on a commercial Allen Bradley PLC, which is widely used in industry, and evaluated it on real-world control program executions. Zeus distinguished between different legitimate and malicious executions with 98.9% accuracy and, by design, with zero overhead on PLC execution.
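The fingerprint-then-classify pipeline described above, as an added toy illustration that is not the paper's code: the per-block EM "spectra", the feasible paths and the sensor noise are all constructed, and a nearest-centroid classifier with a distance threshold stands in for the paper's neural network. A runtime trace that matches no feasible path's fingerprint is reported as a candidate control-flow violation.

```python
import math
import random

# Constructed per-instruction-block EM "spectra" (4 frequency bins each);
# a real sensor trace would be far noisier and higher-dimensional.
BLOCK_SPECTRA = {
    "read_inputs": [1.0, 0.2, 0.1, 0.0],
    "branch_a": [0.3, 1.0, 0.2, 0.1],
    "branch_b": [0.2, 0.1, 1.0, 0.3],
    "write_outputs": [0.1, 0.3, 0.2, 1.0],
}
# Feasible paths of a constructed control program (one scan cycle each).
FEASIBLE_PATHS = {
    "path_A": ["read_inputs", "branch_a", "write_outputs"],
    "path_B": ["read_inputs", "branch_b", "write_outputs"],
}

def emulate_trace(path, rng, noise=0.05):
    """One noisy spectrum per executed block stands in for the sensor capture."""
    return [[v + rng.gauss(0, noise) for v in BLOCK_SPECTRA[b]] for b in path]

def features(trace):
    return [v for window in trace for v in window]  # flatten the windows

def distance(x, y):
    if len(x) != len(y):  # different number of blocks: cannot be the same path
        return math.inf
    return math.sqrt(sum((a - b) ** 2 for a, b in zip(x, y)))

def train(paths, n_traces=30, seed=1):
    """Fingerprint every feasible path: feature centroid plus an accept radius."""
    rng, model = random.Random(seed), {}
    for name, path in paths.items():
        feats = [features(emulate_trace(path, rng)) for _ in range(n_traces)]
        centroid = [sum(col) / n_traces for col in zip(*feats)]
        radius = max(distance(f, centroid) for f in feats)
        model[name] = (centroid, 1.5 * radius)  # margin for runtime noise
    return model

def classify(model, trace):
    """Nearest fingerprint, or None when the emissions fit no legitimate path."""
    f = features(trace)
    name, (centroid, threshold) = min(model.items(), key=lambda kv: distance(f, kv[1][0]))
    return name if distance(f, centroid) <= threshold else None

def demo(seed=7):
    """Classify fresh legitimate traces and one whose block sequence is infeasible."""
    model, rng = train(FEASIBLE_PATHS), random.Random(seed)
    legit = {n: classify(model, emulate_trace(p, rng)) for n, p in FEASIBLE_PATHS.items()}
    rogue = classify(model, emulate_trace(["read_inputs", "branch_a", "branch_a"], rng))
    return legit, rogue
```

The accept radius is derived from training-time variance only; on real hardware it would have to be calibrated against temperature drift and nearby electrical noise, which this toy does not model.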
